About SMB signing
SMB signing is a security feature in Windows that ensures the integrity of Common Internet File System (CIFS) messages, preventing man-in-the-middle attacks by adding a unique signature to each CIFS message. This signature ensures the messages cannot be tampered with during file sharing.
When secure traffic optimization is enabled on a server-side appliance, SteelHead reduces latency in file access while maintaining these security signatures. It still provides bandwidth optimizations like SDR (SteelHead Data Reduction), LZ compression, and TCP optimizations, even with CIFS messages being signed.
However, SMB signing can significantly reduce performance gains since it prevents the appliance from applying full optimization on CIFS connections. While SMB signing does offer security, many enterprises already rely on other security measures, such as firewalls and internal servers, which means SMB signing might add minimal extra security but at a high performance cost.
You should enable secure traffic optimization when Windows clients or servers have one of these settings:
• SMB2/SMB3 signing set to required.
• SMB3 secure dialect negotiation is enabled.
• SMB3 encryption is enabled.
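To check whether a Windows host has any of the three settings listed above, the following added example (not Riverbed's or Microsoft's code) reads them with the built-in SMB cmdlets from an elevated PowerShell session. The function names are hypothetical, and the reading of the RequireSecureNegotiate registry value (0 means disabled, absent means the OS default applies) is an assumption.

```powershell
# Added example: audit the local host for the SMB settings that call for
# secure traffic optimization. Requires Windows 8 / Server 2012 or later.

function Get-SmbSecurityPosture {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # Shares that force encryption even when server-wide EncryptData is off.
    $encryptedShares = @(Get-SmbShare | Where-Object { $_.EncryptData } |
                         Select-Object -ExpandProperty Name)

    # Assumption: secure dialect negotiation is governed by this client-side
    # registry value, where 0 disables it and an absent value means OS default.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $neg = (Get-ItemProperty -Path $key -Name RequireSecureNegotiate `
            -ErrorAction SilentlyContinue).RequireSecureNegotiate

    [pscustomobject]@{
        ServerSigningRequired   = [bool]$server.RequireSecuritySignature
        ClientSigningRequired   = [bool]$client.RequireSecuritySignature
        ServerEncryptData       = [bool]$server.EncryptData
        EncryptedShares         = $encryptedShares
        SecureNegotiateRegValue = $neg
        SecureNegotiateDisabled = ($neg -eq 0)
    }
}

function Get-SecureOptimizationReasons {
    param([Parameter(Mandatory)] $Posture)
    $reasons = @()
    if ($Posture.ServerSigningRequired -or $Posture.ClientSigningRequired) {
        $reasons += 'SMB2/SMB3 signing is set to required'
    }
    if (-not $Posture.SecureNegotiateDisabled) {
        $reasons += 'SMB3 secure dialect negotiation is not explicitly disabled'
    }
    if ($Posture.ServerEncryptData -or $Posture.EncryptedShares.Count -gt 0) {
        $reasons += 'SMB3 encryption is enabled (server-wide or per share)'
    }
    $reasons
}

$posture = Get-SmbSecurityPosture
$posture | Format-List
$reasons = @(Get-SecureOptimizationReasons -Posture $posture)
if ($reasons.Count -gt 0) { $reasons | ForEach-Object { "Matched: $_" } }
else { 'No listed setting matched on this host.' }
```

Run it on both a representative client and the file server, since the list applies to either side of the connection.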
The secure traffic optimization is compliant with Microsoft’s SMB signing protocols for versions 1 through 3. It works with Windows domain security, supporting both native and mixed mode domains, and allows the server-side appliance to join the Windows trust domain. This trust relationship can be between parent-child, grandparent-child, or sibling domains.
Even if the client machine and target server are in different domains, as long as there’s a trust relationship between them, SteelHead can accelerate signed CIFS traffic. For maximum security, we recommend you configure SteelHeads as SSL peers, ensuring encrypted, signed CIFS traffic over the WAN.
SMB signing requires that the Windows domain functionality be at the Windows 2003 level or higher.